Default host to localhost when in development mode. #514

Merged (5 commits, 4 participants)

@postmodern

Running Rack apps on 0.0.0.0 in development mode will allow malicious users on the local network (ex: a Coffee Shop or a Conference) to abuse or potentially exploit the app. Safer to default host to localhost when in development mode.

Also default the :Host option to localhost, when in development, in Rack::Handler::WEBrick, Rack::Handler::Mongrel, Rack::Handler::Thin.

postmodern added some commits
@postmodern postmodern Default host to localhost when in development mode. 28b0144
* Running Rack apps on 0.0.0.0 in development mode will allow malicious
  users on the local network (ex: a Coffee Shop or a Conference) to abuse
  or potentially exploit the app. Safer to default host to localhost when in
  development mode.
@postmodern postmodern Rack::Handler::WEBrick: default the host to localhost in development mode. 5a9169d
@postmodern postmodern Rack::Handler::Mongrel: default the host to localhost in development mode. 5d2edd8
@postmodern postmodern Rack::Handler::Thin: default the host to localhost in development mode. 8377df0
@raggi
Owner

Using a hostname can cause issues on some systems where servers don't properly support IPv6. Should we prefer 127.0.0.1?

@postmodern

Using 127.0.0.1 would assume the system supports IPv4. Better to use localhost and let /etc/hosts map it to the correct address/interface.

@cypher

Either way, right now valid_options returns incorrect documentation for the default host value where applicable (it says localhost right now, at least for Thin and Mongrel). So if this pull request is rejected, that method should be updated to use the correct default host.

@raggi Would it avoid the issues you mentioned if we use Socket.ip_address_list to detect the IP for localhost?
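To see what the proposed default actually exposes, and to check the hostname-versus-127.0.0.1 point raised in the comments above, here is a small added Ruby script (not Rack's own code, and not from this pull request; `default_host`, `localhost_addresses`, `bound_address` and `loopback?` are names chosen for this example). It mirrors the RACK_ENV-gated selection, resolves `localhost` on the current machine, then binds a throwaway listener and reports the address it really ends up on.

```ruby
# Added example, not part of Rack: mirrors the RACK_ENV-gated host default
# proposed in this pull request and shows what that default really binds to.
require 'socket'

# Same selection rule as the pull request: loopback in development,
# all interfaces in any other environment.
def default_host(environment = ENV['RACK_ENV'] || 'development')
  environment == 'development' ? 'localhost' : '0.0.0.0'
end

# What 'localhost' resolves to on this machine (127.0.0.1, ::1, or both);
# this is the hostname-versus-127.0.0.1 question from the discussion.
def localhost_addresses
  Socket.getaddrinfo('localhost', nil, nil, :STREAM).map { |ai| ai[3] }.uniq
end
# Bind a throwaway TCP listener to +host+ on an ephemeral port and return
# the numeric address it actually listens on. A hostname is bound to one
# address from its resolution list, so a dev server can end up IPv6-only
# or IPv4-only depending on /etc/hosts ordering.
def bound_address(host)
  server = TCPServer.new(host, 0)
  server.addr(:numeric)[3]
ensure
  server.close if server
end

# True when +address+ is loopback, i.e. reachable from this machine only.
def loopback?(address)
  info = Addrinfo.ip(address)
  info.ipv4_loopback? || info.ipv6_loopback?
end

if __FILE__ == $0
  begin
    puts "localhost resolves to: #{localhost_addresses.join(', ')}"
  rescue SocketError => e
    puts "localhost did not resolve: #{e.message}"
  end
  %w[development production].each do |env|
    host = default_host(env)
    begin
      addr  = bound_address(host)
      scope = loopback?(addr) ? 'loopback only' : 'ALL interfaces'
      puts "RACK_ENV=#{env}: default #{host} -> bound #{addr} (#{scope})"
    rescue SystemCallError, SocketError => e
      puts "RACK_ENV=#{env}: could not bind #{host}: #{e.message}"
    end
  end
end
```

Run it on both an IPv4-only box and a dual-stack one: if `localhost` resolves to `::1` first, the development listener is IPv6-only, which is exactly the situation the IPv6 comment above is worried about.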

@postmodern

Fixed valid_options. I noticed there is some repetition among the valid_options methods. Perhaps they could be extracted to a common Handler class/module?

@brynary

Wouldn't a better default be localhost in production too? For example, in the common configuration of Ruby behind Nginx on an EC2 server. 0.0.0.0 seems better as an opt-in behavior.

@postmodern

@brynary Good idea. I don't know how that might affect Phusion Passenger or Heroku (they default to using WEBrick). In the past, I would configure Thin to explicitly listen on localhost:9000.

@raggi raggi merged commit 15796c4
@raggi
Owner

Thanks

@p8952 p8952 referenced this pull request from a commit in p8952/rack
@p8952 p8952 Update to reflect changes in #514 076711a
@lucasfais lucasfais referenced this pull request in azukiapp/azk
Closed

Improve generator for ruby apps using rack gem #218

@tenderlove tenderlove referenced this pull request from a commit
@p8952 p8952 Update to reflect changes in #514 374b315
Commits on Feb 10, 2013: 4 commits by @postmodern (the commit messages are listed above)
Commits on Feb 28, 2013: 1 commit by @postmodern
lib/rack/handler/fastcgi.rb (5 changed lines)
@@ -30,8 +30,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
"File=PATH" => "Creates a Domain socket at PATH instead of a TCP socket. Ignores Host and Port if set.",
}
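Review bot: the new "(default: #{default_host})" text in valid_options is documentation only; nothing in this hunk changes what run() binds to, so the description is accurate only if run() in this FastCGI handler already applies the same RACK_ENV-based default. Either add `options[:Host] || default_host` to run() as the Mongrel, Thin and WEBrick hunks do, or confirm that the documented default matches the real bind address, since the old "(default: localhost)" wording was already reported in the discussion as wrong for other handlers.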
lib/rack/handler/mongrel.rb (10 changed lines)
@@ -7,8 +7,11 @@ module Rack
module Handler
class Mongrel < ::Mongrel::HttpHandler
def self.run(app, options={})
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
server = ::Mongrel::HttpServer.new(
- options[:Host] || '0.0.0.0',
+ options[:Host] || default_host,
options[:Port] || 8080,
options[:num_processors] || 950,
options[:throttle] || 0,
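Review bot: the `environment` / `default_host` pair is computed inline in run() here and again in valid_options further down, and the same two lines recur in every handler touched by this pull request; a single shared class method (for example `def self.default_host` on a common handler module) would keep the development/production rule in one place, which the author also suggests in the discussion. Note too that `options[:Host] || default_host` treats an explicit `:Host => nil` the same as an absent option; that is probably intended, but worth stating since the previous code only fell back when no host was given.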
@@ -39,8 +42,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
"Processors=N" => "Number of concurrent processors to accept (default: 950)",
"Timeout=N" => "Time before a request is dropped for inactivity (default: 60)",
lib/rack/handler/scgi.rb (5 changed lines)
@@ -17,8 +17,11 @@ def self.run(app, options=nil)
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
}
end
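Review bot: only the valid_options description changes for the SCGI handler; run() at the top of this file is not touched, so "(default: #{default_host})" is correct only if run() already binds to the RACK_ENV-dependent host. Either apply `options[:Host] || default_host` in run() as the other handlers do, or verify the documented default against the actual bind address before merging.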
lib/rack/handler/thin.rb (10 changed lines)
@@ -6,7 +6,10 @@ module Rack
module Handler
class Thin
def self.run(app, options={})
- host = options.delete(:Host) || '0.0.0.0'
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
+ host = options.delete(:Host) || default_host
port = options.delete(:Port) || 8080
args = [host, port, app, options]
# Thin versions below 0.8.0 do not support additional options
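Review bot: with `host = options.delete(:Host) || default_host`, Thin now receives the hostname "localhost" in development instead of an IP literal; as raised in the discussion, a hostname is resolved by the server and may bind only the IPv6 or only the IPv4 loopback depending on /etc/hosts ordering, so this is worth a quick test on an IPv4-only host and on a dual-stack host. The production default is unchanged in effect ("0.0.0.0"), so the behaviour change is confined to development.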
@@ -17,8 +20,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
}
end
lib/rack/handler/webrick.rb (10 changed lines)
@@ -6,7 +6,10 @@ module Rack
module Handler
class WEBrick < ::WEBrick::HTTPServlet::AbstractServlet
def self.run(app, options={})
- options[:BindAddress] = options.delete(:Host) if options[:Host]
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
+ options[:BindAddress] = options.delete(:Host) || default_host
options[:Port] ||= 8080
@server = ::WEBrick::HTTPServer.new(options)
@server.mount "/", Rack::Handler::WEBrick, app
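Review bot: `options[:BindAddress] = options.delete(:Host) || default_host` now overwrites :BindAddress unconditionally; the line it replaces only set it when :Host was given, so a caller passing WEBrick's own :BindAddress option directly will have it silently replaced by the default. Suggest `options[:BindAddress] = options.delete(:Host) || options[:BindAddress] || default_host` so an explicit BindAddress still wins, and note that the hostname-versus-127.0.0.1 concern from the discussion applies here as well because WEBrick resolves the address itself.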
@@ -15,8 +18,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
}
end
lib/rack/server.rb (7 changed lines)
@@ -185,11 +185,14 @@ def options
end
def default_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- :environment => ENV['RACK_ENV'] || "development",
+ :environment => environment,
:pid => nil,
:Port => 9292,
- :Host => "0.0.0.0",
+ :Host => default_host,
:AccessLog => [],
:config => "config.ru"
}
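Review bot: :Host is derived from ENV['RACK_ENV'] at the moment default_options is built, so if :environment is later overridden (options merged over these defaults, or an environment chosen some other way than the variable), the host default will not follow it; the handlers also each re-read ENV['RACK_ENV'] on their own rather than taking the environment from these options. Suggest deriving the host default after the final environment is known, or making sure ENV['RACK_ENV'] is set from options[:environment] before the handler's run is invoked, so that server and handler agree on which default applies.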